diff --git a/roles/debian/defaults/main.yaml b/roles/debian/defaults/main.yaml new file mode 100644 index 0000000..a861f1c --- /dev/null +++ b/roles/debian/defaults/main.yaml @@ -0,0 +1,49 @@ +vn_first_time: false +vn_witness_checked: false +deb_packages: + - https://apt.verdnatura.es/pool/main/v/vn-host/vn-apt-source_3.0.1_all.deb + - https://apt.verdnatura.es/pool/main/v/vn-host/vn-host_3.0.1_all.deb +grub_user: admin +default_user: user +fail2ban: + email: "{{ sysadmin_mail }}" + bantime: 600 + maxretry: 4 + ignore: "127.0.0.0/8 {{ dc_net }}" + logpath: "/var/log/auth.log" +fail2ban_base_packages: + - fail2ban + - rsyslog +time_server_spain: ntp.roa.es +nagios_packages: + - nagios-nrpe-server + - nagios-plugins-contrib + - monitoring-plugins-basic +base_packages: + - htop + - psmisc + - bash-completion + - screen + - aptitude + - tree + - btop + - ncdu + - debconf-utils + - net-tools + - gpg + - curl + - cloud-guest-utils + - rsync + - parted + - yq +locales_present: + - en_US.UTF-8 + - es_ES.UTF-8 +homes_path: /mnt/homes +autofs_packages: + - nfs-common + - autofs + - libnfs-utils + - autofs-ldap +blacklist_module_kernel: | + blacklist snd_hda_intel diff --git a/roles/debian/files/80-hotplug-cpu-mem.rules b/roles/debian/files/80-hotplug-cpu-mem.rules new file mode 100644 index 0000000..38c16f9 --- /dev/null +++ b/roles/debian/files/80-hotplug-cpu-mem.rules @@ -0,0 +1 @@ +SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1" diff --git a/roles/debian/files/hotplug.cfg b/roles/debian/files/hotplug.cfg new file mode 100644 index 0000000..85e1612 --- /dev/null +++ b/roles/debian/files/hotplug.cfg @@ -0,0 +1 @@ +GRUB_CMDLINE_LINUX_DEFAULT="quiet memhp_default_state=online security=none" diff --git a/roles/debian/files/motd b/roles/debian/files/motd new file mode 100644 index 0000000..1a11bc4 --- /dev/null +++ b/roles/debian/files/motd @@ -0,0 +1,102 @@ +#!/bin/bash + +LABEL="\033[0;32m" +SUBLB="\033[0;36m" +RESET="\033[0m" +BLINK="\033[5m" + +. /etc/os-release + +# Environment + +PRO="\033[1;5;31m" +LAB="\033[0;35m" +VN="\033[0;32m" +UNKNOWN="\033[0;33m" + +FQDN=$(hostname --fqdn) +case "$FQDN" in + *.dc.verdnatura.es) + ENVIRONMENT="${PRO}Production${RESET}" + ;; + *.lab.verdnatura.es) + ENVIRONMENT="${LAB}Laboratory${RESET}" + ;; + *.verdnatura.es) + ENVIRONMENT="${VN}Verdnatura${RESET}" + ;; + *) + ENVIRONMENT="${UNKNOWN}Unknown${RESET}" + ;; +esac + +# Last login + +LAST="$(last -n1 | head -1)" +if [ "$LAST" != "" ] ; then + LAST_LOGIN_USER="$(echo $LAST | cut -d' ' -f1)" + LAST_LOGIN_IP="$(echo $LAST | cut -d' ' -f3)" + LAST_LOGIN_TIME="$(echo $LAST | cut -d' ' -f4-)" + LAST_LOGIN="$LAST_LOGIN_USER ($LAST_LOGIN_IP) $LAST_LOGIN_TIME" +fi + +# Packages + +PACKAGES=$(dpkg-query -W -f='${binary:Package}\n' | wc -l) +SHOW_UPGRADEABLE=0 +USER_UID=$(id -u $USER) +USER_GROUPS=$(id -Gn $USER) + +if [ ${USER_UID} -eq 0 ] ; then + SHOW_UPGRADEABLE=1 +fi +if [[ "${USER_GROUPS}" == *"sysadmin"* ]] ; then + SHOW_UPGRADEABLE=1 +fi +if [ $SHOW_UPGRADEABLE -eq 1 ] ; then + UPGRADEABLE="$(apt list --upgradable 2>/dev/null | tail -n +2 | wc -l)" + + if [ "$UPGRADEABLE" -gt 0 ]; then + UPGRADEABLE_ALERT="${BLINK}($UPGRADEABLE upgradeable)${RESET}" + fi +fi + +# Network and users + +NET_IPS=$(ip -o -4 add sh | tail -n +2 | awk '{printf "\033[0;36m%16s >\033[0m %-15s\n",$2,$4}') +CONNECTED_USERS=$(w | tail -n +2 | awk '{printf "\t%15s %12s %8s %s\n",$1,$3,$4, substr( $0, index($0,$8), index($0,$NF)) }') + +# Logo + +FW="\033[1;37m" +FG="\033[1;32m" +GB="\e[48;5;112m" +GL="\e[48;5;70m" +RS="\e[0m" + +echo -e +echo -e " $GL $GB $RS" +echo -e " $GL $GB $GL $RS $GL $GB $RS" " ${FW}__ __ _ ${FG} _ _ _ ${RS}" +echo -e " $GB $GL $RS $GL $GB $GL $RS" " ${FW}\ \ / /__ _ __ __| |${FG}| \ | | __ _| |_ _ _ _ __ __ _ ${RS}" +echo -e " $GL $GB $RS $GB $GL $RS " " ${FW} \ \ / / _ \ '__/ _' |${FG}| \| |/ _' | __| | | | '__/ _' |${RS}" +echo -e " $GL $GB $RS $GB $GL $RS " " ${FW} \ V / __/ | | (_| |${FG}| |\ | (_| | |_| |_| | | | (_| |${RS}" +echo -e " " " ${FW} \_/ \___|_| \__,_|${FG}|_| \_|\__,_|\__|\__,_|_| \__,_|${RS}" +echo -e " $GL $GB $RS $GB $GL $RS" +echo -e " $GL $GB $GL $RS $GL $GB $RS" +echo -e " $GB $GL $RS" +echo -e + +# Information + +echo -e "${LABEL}Host :${RESET} $FQDN" +echo -e "${LABEL}OS :${RESET} $NAME $(cat /etc/debian_version) ($VERSION_CODENAME)" +echo -e "${LABEL}Kernel :${RESET} $(uname -r)" +echo -e "${LABEL}Shell :${RESET} $SHELL $(echo $BASH_VERSION | cut -d'(' -f1)" +echo -e "${LABEL}Uptime :${RESET} $(uptime -p | tr -d ',')" +echo -e "${LABEL}Packages :${RESET} $PACKAGES $UPGRADEABLE_ALERT" +echo -e "${LABEL}IP :${RESET}" +echo -e "$NET_IPS" +echo -e "${LABEL}Last Login :${RESET} $LAST_LOGIN" +echo -e "${LABEL}Environment :${RESET} $ENVIRONMENT" +echo -e "${LABEL}Connected users :${RESET}" +echo -e "$CONNECTED_USERS" diff --git a/roles/debian/files/profile.sh b/roles/debian/files/profile.sh new file mode 100644 index 0000000..ab1ac12 --- /dev/null +++ b/roles/debian/files/profile.sh @@ -0,0 +1,47 @@ +#!/bin/bash + +# Prompt + +FQDN=$(hostname --fqdn) + +if [[ $FQDN == *.verdnatura.es ]]; then + SHORT_HOST=${FQDN%.verdnatura.es} + + case "$SHORT_HOST" in + *.dc) + ENVIRONMENT="\[\033[01;31m\]PRO\[\033[00m\]" + ;; + *.lab) + ENVIRONMENT="\[\033[01;35m\]LAB\[\033[00m\]" + ;; + *) + ENVIRONMENT="\[\033[01;32m\]VN\[\033[00m\]" + ;; + esac + + PS1="\u@$SHORT_HOST[$ENVIRONMENT]:\w" + + if [ "$(id -u)" -eq 0 ]; then + PS1="$PS1# " + else + PS1="$PS1\$ " + fi +fi + +# History + +HISTSIZE=10000 +HISTFILESIZE=50000 +HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S " + +# Security + +TMOUT=3600 + +# Aliases + +#export LS_OPTIONS='--color=auto' +#eval "$(dircolors)" +#alias ls='ls $LS_OPTIONS' +#alias ll='ls $LS_OPTIONS -l' +#alias la='ls $LS_OPTIONS -la' diff --git a/roles/debian/files/sendmail-common.local b/roles/debian/files/sendmail-common.local new file mode 100644 index 0000000..b389b31 --- /dev/null +++ b/roles/debian/files/sendmail-common.local @@ -0,0 +1,3 @@ +[Definition] +actionstart = +actionstop = diff --git a/roles/debian/files/sysctl/30-basic.conf b/roles/debian/files/sysctl/30-basic.conf new file mode 100644 index 0000000..3c6f393 --- /dev/null +++ b/roles/debian/files/sysctl/30-basic.conf @@ -0,0 +1,4 @@ +vm.swappiness=10 +vm.dirty_ratio=30 +vm.dirty_background_ratio=5 +net.core.somaxconn=65536 diff --git a/roles/debian/files/sysctl/40-network.conf b/roles/debian/files/sysctl/40-network.conf new file mode 100644 index 0000000..46a4e09 --- /dev/null +++ b/roles/debian/files/sysctl/40-network.conf @@ -0,0 +1,7 @@ +net.core.rmem_max=134217728 +net.core.wmem_max=134217728 +net.core.netdev_max_backlog=250000 +net.ipv4.tcp_rmem=4096 87380 67108864 +net.ipv4.tcp_wmem=4096 65536 67108864 +net.ipv4.tcp_congestion_control=htcp +net.ipv4.tcp_mtu_probing=1 diff --git a/roles/debian/files/sysctl/42-noipv6.conf b/roles/debian/files/sysctl/42-noipv6.conf new file mode 100644 index 0000000..81073be --- /dev/null +++ b/roles/debian/files/sysctl/42-noipv6.conf @@ -0,0 +1,3 @@ +net.ipv6.conf.all.disable_ipv6=1 +net.ipv6.conf.default.disable_ipv6=1 +net.ipv6.conf.lo.disable_ipv6=1 \ No newline at end of file diff --git a/roles/debian/files/vimrc.local b/roles/debian/files/vimrc.local new file mode 100644 index 0000000..005d05c --- /dev/null +++ b/roles/debian/files/vimrc.local @@ -0,0 +1,5 @@ +syntax on +set showcmd +set showmatch +set ignorecase +set smartcase diff --git a/roles/debian/handlers/main.yml b/roles/debian/handlers/main.yml new file mode 100644 index 0000000..cc20d9c --- /dev/null +++ b/roles/debian/handlers/main.yml @@ -0,0 +1,42 @@ +- name: restart systemd-timesyncd + systemd: + name: systemd-timesyncd + state: restarted +- name: restart-ssh + systemd: + name: ssh + state: restarted +- name: restart fail2ban + systemd: + name: fail2ban + state: restarted +- name: restart-nrpe + systemd: + name: nagios-nrpe-server + state: restarted +- name: restart sshd + systemd: + name: sshd + state: restarted +- name: restart-sysctl + systemd: + name: systemd-sysctl + state: restarted +- name: restart-nslcd + service: + name: nslcd + state: restarted +- name: restart-ssh + systemd: + name: ssh + state: restarted +- name: restart-autofs + service: + name: autofs + state: restarted +- name: generate locales + command: /usr/sbin/locale-gen +- name: reconfigure tzdata + command: dpkg-reconfigure -f noninteractive tzdata +- name: update exim configuration + command: /usr/sbin/update-exim4.conf diff --git a/roles/debian/tasks/agent.yml b/roles/debian/tasks/agent.yml new file mode 100644 index 0000000..db2b4ee --- /dev/null +++ b/roles/debian/tasks/agent.yml @@ -0,0 +1,4 @@ +- name: Install QEMU guest agent + apt: + name: qemu-guest-agent + state: present diff --git a/roles/debian/tasks/apparmor.yml b/roles/debian/tasks/apparmor.yml new file mode 100644 index 0000000..887d95f --- /dev/null +++ b/roles/debian/tasks/apparmor.yml @@ -0,0 +1,16 @@ +- name: Getting service facts to check for apparmor + service_facts: +- when: "'apparmor.service' in ansible_facts.services" + block: + - name: Stop AppArmor + systemd: + name: apparmor + state: stopped + - name: Disable AppArmor service + systemd: + name: apparmor + enabled: no + - name: Mask AppArmor service + systemd: + name: apparmor + masked: yes \ No newline at end of file diff --git a/roles/debian/tasks/auth.yml b/roles/debian/tasks/auth.yml new file mode 100644 index 0000000..62506be --- /dev/null +++ b/roles/debian/tasks/auth.yml @@ -0,0 +1,25 @@ +- name: Install packages + apt: + name: nslcd + state: present +- name: Configure NSLCD + template: + src: nslcd.conf + dest: /etc/nslcd.conf + owner: root + group: nslcd + mode: '0640' + notify: + - restart-nslcd + register: nslcd +- name: Configure nsswitch to use NSLCD + lineinfile: + dest: /etc/nsswitch.conf + regexp: "{{item.regexp}}" + line: "{{item.line}}" + state: present + with_items: + - regexp: "^passwd:" + line: "passwd: files systemd ldap" + - regexp: "^group:" + line: "group: files systemd ldap" diff --git a/roles/debian/tasks/autofs.yml b/roles/debian/tasks/autofs.yml new file mode 100644 index 0000000..8ae6dde --- /dev/null +++ b/roles/debian/tasks/autofs.yml @@ -0,0 +1,35 @@ +- name: Update apt cache + apt: + update_cache: yes +- name: Install autofs packages + apt: + name: "{{ autofs_packages }}" + state: present +- name: Create homes directory + file: + path: "{{ homes_path }}" + state: directory + mode: '0755' +- name: Configure nsswitch for autofs + lineinfile: + path: /etc/nsswitch.conf + line: "automount: files" +- name: Add file homes.autofs configured to autofs + template: + src: homes.autofs + dest: /etc/auto.master.d/homes.autofs + owner: root + group: root + mode: '0644' +- name: Add file /etc/auto.homes configured to the systemd + template: + src: auto.homes + dest: /etc/auto.homes + owner: root + group: root + mode: '0644' + notify: restart-autofs +- name: Service autofs service + systemd: + name: autofs + enabled: yes \ No newline at end of file diff --git a/roles/debian/tasks/bacula.yml b/roles/debian/tasks/bacula.yml new file mode 100644 index 0000000..8ae1525 --- /dev/null +++ b/roles/debian/tasks/bacula.yml @@ -0,0 +1,53 @@ +- name: Install Bacula FD packages + apt: + name: bacula-fd + state: present +- name: Read content file in base64 + slurp: + src: /etc/bacula/common_default_passwords + register: file_content +- name: Going to text plane + no_log: true + set_fact: + file_content_decoded: "{{ file_content.content | b64decode }}" +- name: Extracting passwords + no_log: true + set_fact: + passwords: "{{ file_content_decoded.splitlines() | select('match', '^[^#]') | map('regex_replace', '^([^=]+)=(.+)$', '\\1:\\2') | list }}" +- name: Initialize password dictionary + set_fact: + bacula_passwords: {} +- name: Convert lines to individual variables generating a new dict + no_log: true + set_fact: + bacula_passwords: "{{ bacula_passwords | combine({item.split(':')[0].lower(): item.split(':')[1] | regex_replace('\\n$', '') }) }}" + loop: "{{ passwords }}" + when: "'FDPASSWD' in item or 'FDMPASSWD' in item" +- name: Configure Bacula FD + template: + src: bacula-fd.conf + dest: /etc/bacula/bacula-fd.conf + owner: root + group: bacula + mode: u=rw,g=r,o= + backup: true + register: bacula_config +- name: Configure master cert + copy: + content: "{{ ca_bacula }}" + dest: /etc/bacula/master-cert.pem + owner: root + group: root + mode: u=rw,g=r,o=r +- name: Configure master cert + copy: + content: "{{ lookup(passbolt, 'fd-cert.pem', folder_parent_id=passbolt_folder).description }}" + dest: /etc/bacula/fd-cert.pem + owner: root + group: bacula + mode: u=rw,g=r,o= +- name: Restart Bacula FD service + service: + name: bacula-fd + state: restarted + when: bacula_config.changed diff --git a/roles/debian/tasks/blacklist.yml b/roles/debian/tasks/blacklist.yml new file mode 100644 index 0000000..7076911 --- /dev/null +++ b/roles/debian/tasks/blacklist.yml @@ -0,0 +1,7 @@ +- name: Configure blacklist modprobe on VM + copy: + content: "{{ blacklist_module_kernel }}" + dest: /etc/modprobe.d/vn-blacklist.conf + owner: root + group: root + mode: u=rw,g=r,o=r \ No newline at end of file diff --git a/roles/debian/tasks/defuser.yml b/roles/debian/tasks/defuser.yml new file mode 100644 index 0000000..b41897b --- /dev/null +++ b/roles/debian/tasks/defuser.yml @@ -0,0 +1,5 @@ +- name: Delete default user + user: + name: "{{ default_user }}" + state: absent + remove: yes diff --git a/roles/debian/tasks/fail2ban.yml b/roles/debian/tasks/fail2ban.yml new file mode 100644 index 0000000..8474033 --- /dev/null +++ b/roles/debian/tasks/fail2ban.yml @@ -0,0 +1,40 @@ +- name: Install fail2ban and rsyslog packages + apt: + name: "{{ fail2ban_base_packages }}" + state: present +- name: Configure sshd_config settings + copy: + dest: /etc/ssh/sshd_config.d/vn-fail2ban.conf + content: | + # Do not edit this file! Ansible will overwrite it. + + SyslogFacility AUTH + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart sshd +- name: Adjust action configuration to reduce noise + copy: + src: sendmail-common.local + dest: /etc/fail2ban/action.d/sendmail-common.local + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart sshd +- name: Configure fail2ban service + template: + src: jail.local + dest: /etc/fail2ban/jail.local + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart fail2ban + register: jail +- name: Ensure file for auth sshd custom log exists + file: + path: /var/log/auth.log + state: touch + owner: root + group: adm + mode: u=rw,g=r,o= + when: jail.changed diff --git a/roles/debian/tasks/grub_startup.yml b/roles/debian/tasks/grub_startup.yml new file mode 100644 index 0000000..cbc6173 --- /dev/null +++ b/roles/debian/tasks/grub_startup.yml @@ -0,0 +1,49 @@ +# Enabled password protection to restrict GRUB editing only, leaving menu entries accessible without authentication. +# Added the --unrestricted option to the custom 09_make_OS_entries_unrestricted template. +# Official GRUB Manual: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html +# Additional guidance: http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html +# Discussion and troubleshooting: https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks +# To generate a GRUB password, use the command syntax provided by grub-mkpasswd-pbkdf2 --help. +- name: GRUB edit unrestricted option + copy: + content: | + #!/bin/sh + exec tail -n +3 $0 + # This file provides an easy way to add custom menu entries. Simply type the + # menu entries you want to add after this comment. Be careful not to change + # the 'exec tail' line above. + menuentry_id_option="--unrestricted $menuentry_id_option" + dest: /etc/grub.d/09_make_OS_entries_unrestricted + owner: root + group: root + checksum: fed5c365f11a919b857b78207565cf341b86082b + mode: u=rwx,g=rx,o=rx + register: grubunrestricted +- name: Search grub password in Passbolt + no_log: true + set_fact: + grub_code: "{{ lookup(passbolt, 'grub', folder_parent_id=passbolt_folder).description }}" +- name: GRUB edit password protection + copy: + content: | + #!/bin/sh + exec tail -n +3 $0 + set superusers="{{ grub_user }}" + password_pbkdf2 {{ grub_user }} {{ grub_code }} + dest: /etc/grub.d/00_before + owner: root + group: root + mode: u=rwx,g=rx,o=rx + register: grubpass +- name: Change GRUB_TIMEOUT from 5 to 1 + copy: + content: | + GRUB_TIMEOUT=1 + dest: /etc/default/grub.d/timeout.cfg + owner: root + group: root + mode: u=rw,g=r,o=r + register: grubtime +- name: Generate GRUB configuration + command: update-grub + when: grubunrestricted.changed or grubpass.changed or grubtime.changed diff --git a/roles/debian/tasks/hostname.yml b/roles/debian/tasks/hostname.yml new file mode 100644 index 0000000..e1ed68b --- /dev/null +++ b/roles/debian/tasks/hostname.yml @@ -0,0 +1,9 @@ +- name: Set the hostname + hostname: + name: "{{ inventory_hostname_short }}" + use: debian +- name: Populating hosts file with hostname + lineinfile: + path: /etc/hosts + regexp: '^127\.0\.1\.1' + line: '127.0.1.1 {{ hostname_fqdn }} {{ inventory_hostname_short }}' diff --git a/roles/debian/tasks/hotplug.yml b/roles/debian/tasks/hotplug.yml new file mode 100644 index 0000000..ce51e64 --- /dev/null +++ b/roles/debian/tasks/hotplug.yml @@ -0,0 +1,18 @@ +- name: Configure udev hotplug rules + copy: + src: 80-hotplug-cpu-mem.rules + dest: /usr/lib/udev/rules.d/ + mode: u=rw,g=r,o=r + owner: root + group: root +- name: Configure GRUB for hotplug + copy: + src: hotplug.cfg + dest: /etc/default/grub.d/ + mode: u=rw,g=r,o=r + owner: root + group: root + register: grub +- name: Generate GRUB configuration + command: update-grub + when: grub.changed diff --git a/roles/debian/tasks/install.yml b/roles/debian/tasks/install.yml new file mode 100644 index 0000000..396832c --- /dev/null +++ b/roles/debian/tasks/install.yml @@ -0,0 +1,4 @@ +- name: Install base packages + apt: + name: "{{ base_packages }}" + state: present diff --git a/roles/debian/tasks/locale.yml b/roles/debian/tasks/locale.yml new file mode 100644 index 0000000..9063486 --- /dev/null +++ b/roles/debian/tasks/locale.yml @@ -0,0 +1,6 @@ +- name: make sure locales in variable are generated + locale_gen: + name: "{{ item }}" + state: present + with_items: "{{ locales_present }}" + notify: generate locales diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml new file mode 100644 index 0000000..87dcf43 --- /dev/null +++ b/roles/debian/tasks/main.yml @@ -0,0 +1,71 @@ + +- name: Configure virtual machine or host (not LXC) + when: ansible_virtualization_role == 'host' or ansible_virtualization_type == 'kvm' + block: + - import_tasks: hostname.yml + tags: hostname + - import_tasks: sysctl.yml + tags: sysctl + - import_tasks: apparmor.yml + tags: apparmor + +- name: Configure base system (all) + block: + - import_tasks: witness.yml + tags: witness + - import_tasks: root.yml + tags: root + - import_tasks: resolv.yml + tags: resolv + - import_tasks: timesync.yml + tags: timesync + - import_tasks: sshd_configure.yml + tags: sshd_configure + - import_tasks: defuser.yml + tags: defuser + - import_tasks: install.yml + tags: install + - import_tasks: locale.yml + tags: locale + - import_tasks: tzdata.yml + tags: tzdata + - import_tasks: relayhost.yml + tags: relayhost + - import_tasks: motd.yml + tags: motd + - import_tasks: profile.yml + tags: profile + - import_tasks: vim.yml + tags: vim + - import_tasks: nrpe.yml + tags: nrpe + - import_tasks: fail2ban.yml + tags: fail2ban + - import_tasks: bacula.yml + tags: bacula + - import_tasks: vn-repo.yml + tags: vn-repo + +- name: Configure guest + when: ansible_virtualization_role == 'guest' + block: + - import_tasks: auth.yml + tags: auth + - import_tasks: sudoers.yml + tags: sudoers + - import_tasks: ssh_keys.yml + tags: ssh_keys + +- name: Configure virtual machine + when: ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm' + block: + - import_tasks: agent.yml + tags: agent + - import_tasks: hotplug.yml + tags: hotplug + - import_tasks: autofs.yml + tags: autofs + - import_tasks: blacklist.yml + tags: blacklist + - import_tasks: grub_startup.yml + tags: grub_startup diff --git a/roles/debian/tasks/motd.yml b/roles/debian/tasks/motd.yml new file mode 100644 index 0000000..486e705 --- /dev/null +++ b/roles/debian/tasks/motd.yml @@ -0,0 +1,7 @@ +- name: Copy MOTD configuration file + copy: + src: motd + dest: /etc/update-motd.d/90-vn + mode: u=rwx,g=rx,o=rx + owner: root + group: root diff --git a/roles/debian/tasks/nrpe.yml b/roles/debian/tasks/nrpe.yml new file mode 100644 index 0000000..b0aaf5e --- /dev/null +++ b/roles/debian/tasks/nrpe.yml @@ -0,0 +1,22 @@ +- name: Install NRPE packages + apt: + name: "{{ nagios_packages }}" + state: present + install_recommends: no +- name: Set NRPE generic configuration + template: + src: nrpe.cfg + dest: /etc/nagios/nrpe.d/90-vn.cfg + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart-nrpe +- name: Create NRPE local configuration file + file: + path: /etc/nagios/nrpe.d/99-local.cfg + state: touch + owner: nagios + group: nagios + mode: u=rw,g=r,o= + modification_time: preserve + access_time: preserve diff --git a/roles/debian/tasks/profile.yml b/roles/debian/tasks/profile.yml new file mode 100644 index 0000000..e8df993 --- /dev/null +++ b/roles/debian/tasks/profile.yml @@ -0,0 +1,7 @@ +- name: Copy profile configuration file + copy: + src: profile.sh + dest: /etc/profile.d/vn.sh + mode: u=rw,g=r,o=r + owner: root + group: root diff --git a/roles/debian/tasks/relayhost.yml b/roles/debian/tasks/relayhost.yml new file mode 100644 index 0000000..f912812 --- /dev/null +++ b/roles/debian/tasks/relayhost.yml @@ -0,0 +1,33 @@ +- name: Getting service facts to check for postfix + service_facts: +- when: "'postfix.service' not in ansible_facts.services" + block: + - name: Install exim packages + apt: + name: exim4 + state: present + - name: Prepare exim configuration + blockinfile: + path: /etc/exim4/update-exim4.conf.conf + marker_begin: '--- BEGIN VN ---' + marker_end: '--- END VN ---' + marker: "# {mark}" + block: | + dc_eximconfig_configtype='satellite' + dc_other_hostnames='{{ ansible_fqdn }}' + dc_local_interfaces='127.0.0.1' + dc_readhost='{{ ansible_fqdn }}' + dc_smarthost='{{ smtp_server }}' + dc_hide_mailname='true' + state: present + create: yes + mode: u=rw,g=r,o=r + notify: update exim configuration + register: exim_config + - name: Force execution of handlers immediately + meta: flush_handlers + - name: Sending mail to verify relay host configuration works + shell: > + sleep 2; echo "If you see this message, relayhost on {{ ansible_fqdn }} has been configured correctly." \ + | mailx -s "Relayhost test for {{ ansible_fqdn }}" "{{ sysadmin_mail }}" + when: exim_config.changed diff --git a/roles/debian/tasks/resolv.yml b/roles/debian/tasks/resolv.yml new file mode 100644 index 0000000..1ee5af7 --- /dev/null +++ b/roles/debian/tasks/resolv.yml @@ -0,0 +1,22 @@ +- name: Check if DNS is already configured + stat: + path: /etc/resolv.conf + register: resolv_conf +- name: Read /etc/resolv.conf + slurp: + path: /etc/resolv.conf + register: resolv_conf_content + when: resolv_conf.stat.exists +- name: Check if DNS servers are already present + set_fact: + dns_configured: "{{ resolv_conf_content['content'] | b64decode | regex_search('^nameserver') is not none }}" + when: resolv_conf.stat.exists +- name: Apply resolv.conf template only if DNS is not configured + template: + src: templates/resolv.conf + dest: /etc/resolv.conf + owner: root + group: root + mode: u=rw,g=r,o=r + backup: true + when: not resolv_conf.stat.exists or not dns_configured diff --git a/roles/debian/tasks/root.yml b/roles/debian/tasks/root.yml new file mode 100644 index 0000000..9f3d548 --- /dev/null +++ b/roles/debian/tasks/root.yml @@ -0,0 +1,43 @@ +- name: Set the root password changed witness variable + set_fact: + root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) }}" +- when: vn_witness_checked and not root_pass_changed + no_log: true + block: + - name: Search root password in Passbolt + ignore_errors: true + set_fact: + passbolt_password: > + {{ + lookup(passbolt, inventory_hostname_short, + username='root', + uri='ssh://'+hostname_fqdn + ) + }} + - when: passbolt_password is not defined + block: + - name: Generate a random root password + set_fact: + root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}" + - name: Save root password into Passbolt + set_fact: + msg: > + {{ + lookup(passbolt, inventory_hostname_short, + username='root', + password=root_password, + uri='ssh://'+hostname_fqdn+'/' + ) + }} + environment: + PASSBOLT_CREATE_NEW_RESOURCE: true + - name: Change root password + user: + name: root + password: "{{ root_password | password_hash('sha512') }}" + - name: Set root password generated witness + ini_file: + path: /etc/vn.ini + section: witness + option: root_pass_changed + value: true diff --git a/roles/debian/tasks/ssh_keys.yml b/roles/debian/tasks/ssh_keys.yml new file mode 100644 index 0000000..0fd4c6f --- /dev/null +++ b/roles/debian/tasks/ssh_keys.yml @@ -0,0 +1,21 @@ +- name: Set the SSH keys generated witness variable + set_fact: + ssh_keys_generated: "{{ vn_ini.witness.ssh_keys_generated | default(false) }}" +- when: vn_witness_checked and not ssh_keys_generated + block: + - name: Generate SSH key pairs + openssh_keypair: + path: "/etc/ssh/ssh_host_{{ item.type }}_key" + type: "{{ item.type }}" + force: yes + loop: + - { type: 'rsa' } + - { type: 'ecdsa' } + - { type: 'ed25519' } + notify: restart sshd + - name: Set SSH keys generated witness + ini_file: + path: /etc/vn.ini + section: witness + option: ssh_keys_generated + value: true \ No newline at end of file diff --git a/roles/debian/tasks/sshd_configure.yml b/roles/debian/tasks/sshd_configure.yml new file mode 100644 index 0000000..6c6b19d --- /dev/null +++ b/roles/debian/tasks/sshd_configure.yml @@ -0,0 +1,17 @@ +- name: Configure sshd_config settings + copy: + dest: /etc/ssh/sshd_config.d/vn-listenipv4.conf + content: | + # Do not edit this file! Ansible will overwrite it. + ListenAddress 0.0.0.0 + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart sshd +- name: Deploy custom authorized_keys for root + copy: + dest: /root/.ssh/authorized_keys2 + content: "{{ public_keys }}" + owner: root + group: root + mode: u=rw,g=,o= diff --git a/roles/debian/tasks/sudoers.yml b/roles/debian/tasks/sudoers.yml new file mode 100644 index 0000000..45e1d8c --- /dev/null +++ b/roles/debian/tasks/sudoers.yml @@ -0,0 +1,11 @@ +- name: Install sudo package + apt: + name: sudo + state: present +- name: Add sysadmin to sudoers + template: + src: sudoers + dest: /etc/sudoers.d/vn + mode: u=rw,g=r,o= + owner: root + group: root diff --git a/roles/debian/tasks/sysctl.yml b/roles/debian/tasks/sysctl.yml new file mode 100644 index 0000000..aab1e57 --- /dev/null +++ b/roles/debian/tasks/sysctl.yml @@ -0,0 +1,8 @@ +- name: Set systctl custom vn configuration + copy: + src: sysctl/ + dest: /etc/sysctl.d/ + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart-sysctl diff --git a/roles/debian/tasks/timesync.yml b/roles/debian/tasks/timesync.yml new file mode 100644 index 0000000..57d45df --- /dev/null +++ b/roles/debian/tasks/timesync.yml @@ -0,0 +1,28 @@ +- name: Getting service facts to check for timesyncd + service_facts: +- when: "'systemd-timesyncd.service' in ansible_facts.services" + block: + - name: Ensure directory for timesyncd custom configuration exists + file: + path: /etc/systemd/timesyncd.conf.d/ + state: directory + owner: root + group: root + mode: u=rwx,g=rx,o=rx + - name: Configure timesyncd service + copy: + dest: /etc/systemd/timesyncd.conf.d/vn-ntp.conf + content: | + [Time] + NTP={{ time_server }} + FallbackNTP={{ time_server_spain }} + owner: root + group: root + mode: u=rw,g=r,o=r + notify: restart systemd-timesyncd + - name: Ensure timesyncd service is enabled and started + when: "ansible_facts.services['systemd-timesyncd.service'].status == 'enabled'" + service: + name: systemd-timesyncd + enabled: yes + state: started diff --git a/roles/debian/tasks/tzdata.yml b/roles/debian/tasks/tzdata.yml new file mode 100644 index 0000000..3f9bf17 --- /dev/null +++ b/roles/debian/tasks/tzdata.yml @@ -0,0 +1,11 @@ +- name: Configure debconf for tzdata + debconf: + name: tzdata + question: "{{ item.question }}" + value: "{{ item.value }}" + vtype: "string" + loop: + - { question: "tzdata/Areas", value: "Europe" } + - { question: "tzdata/Zones/Europe", value: "Madrid" } + - { question: "tzdata/Zones/Etc", value: "UTC" } + notify: reconfigure tzdata diff --git a/roles/debian/tasks/vim.yml b/roles/debian/tasks/vim.yml new file mode 100644 index 0000000..798a20d --- /dev/null +++ b/roles/debian/tasks/vim.yml @@ -0,0 +1,11 @@ +- name: Install vim packages + apt: + name: vim + state: present +- name: Copy vim configuration file + copy: + src: vimrc.local + dest: /etc/vim/ + mode: u=rw,g=r,o=r + owner: root + group: root diff --git a/roles/debian/tasks/vn-repo.yml b/roles/debian/tasks/vn-repo.yml new file mode 100644 index 0000000..c3db0ca --- /dev/null +++ b/roles/debian/tasks/vn-repo.yml @@ -0,0 +1,4 @@ +- name: Install package + apt: + deb: "{{ item }}" + with_items: "{{ deb_packages }}" diff --git a/roles/debian/tasks/witness.yml b/roles/debian/tasks/witness.yml new file mode 100644 index 0000000..32fb644 --- /dev/null +++ b/roles/debian/tasks/witness.yml @@ -0,0 +1,17 @@ +- name: Check if witness INI file exists + stat: + path: /etc/vn.ini + register: witness_file +- name: Set witness related variables + set_fact: + vn_first_time: "{{ not witness_file.stat.exists }}" + vn_witness_checked: true +- when: not vn_first_time + block: + - name: Slurp witness INI file + slurp: + src: /etc/vn.ini + register: vn_ini_file + - name: Put witness as dictionary into variable + set_fact: + vn_ini: "{{ vn_ini_file.content | b64decode | community.general.from_ini }}" diff --git a/roles/debian/templates/auto.homes b/roles/debian/templates/auto.homes new file mode 100644 index 0000000..8b16230 --- /dev/null +++ b/roles/debian/templates/auto.homes @@ -0,0 +1 @@ +* -fstype=nfs4,rw {{ homes_server }}:{{ homes_path }}/& diff --git a/roles/debian/templates/bacula-fd.conf b/roles/debian/templates/bacula-fd.conf new file mode 100644 index 0000000..0e2d00a --- /dev/null +++ b/roles/debian/templates/bacula-fd.conf @@ -0,0 +1,24 @@ +Director { + Name = bacula-dir + Password = "{{ bacula_passwords.fdpasswd }}" +} +Director { + Name = bacula-mon + Password = "{{ bacula_passwords.fdmpasswd }}" + Monitor = yes +} +FileDaemon { + Name = bacula-fd + WorkingDirectory = /var/lib/bacula + Pid Directory = /run/bacula + Maximum Concurrent Jobs = 20 + Plugin Directory = /usr/lib/bacula + PKI Signatures = Yes + PKI Encryption = Yes + PKI Keypair = "/etc/bacula/fd-cert.pem" + PKI Master Key = "/etc/bacula/master-cert.pem" +} +Messages { + Name = Standard + director = bacula-dir = all, !skipped, !restored +} diff --git a/roles/debian/templates/homes.autofs b/roles/debian/templates/homes.autofs new file mode 100644 index 0000000..c18bad3 --- /dev/null +++ b/roles/debian/templates/homes.autofs @@ -0,0 +1 @@ +{{ homes_path }} /etc/auto.homes --timeout=30 diff --git a/roles/debian/templates/jail.local b/roles/debian/templates/jail.local new file mode 100644 index 0000000..d3840df --- /dev/null +++ b/roles/debian/templates/jail.local @@ -0,0 +1,22 @@ +# Do not edit this file! Ansible will overwrite it. + +[DEFAULT] + +ignoreip = {{ fail2ban.ignore }} +bantime = {{ fail2ban.bantime }} +findtime = {{ fail2ban.bantime }} +maxretry = {{ fail2ban.maxretry }} +destemail = {{ fail2ban.email }} +sender = root@{{ ansible_fqdn }} +banaction = nftables-multiport +action = %(action_)s + +#+++++++++++++++ Jails + +[sshd] +ignoreip = 127.0.0.1/8 +enabled = true +port = 0:65535 +filter = sshd +logpath = {{ fail2ban.logpath }} +action = %(action_mwl)s diff --git a/roles/debian/templates/nrpe.cfg b/roles/debian/templates/nrpe.cfg new file mode 100644 index 0000000..99329fd --- /dev/null +++ b/roles/debian/templates/nrpe.cfg @@ -0,0 +1,13 @@ +allowed_hosts={{ nagios_server }} +server_address={{ ansible_default_ipv4.address }} + +command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p / +command[check_disk_var]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /var +command[check_disk_usr]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /usr +command[check_disk_home]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /home +command[check_disk_tmp]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /tmp +command[check_dummy]=/usr/lib/nagios/plugins/check_dummy 0 +command[check_swap]=/usr/lib/nagios/plugins/check_swap -w 40% -c 20% -n OK +command[check_load]=/usr/lib/nagios/plugins/check_load -r -w 3.5,3.25,3 -c 4.5,4.25,4 +command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 400 -c 500 +command[check_memory]=/usr/lib/nagios/plugins/check_memory --available -m -w 20%: -c 10%: diff --git a/roles/debian/templates/nslcd.conf b/roles/debian/templates/nslcd.conf new file mode 100644 index 0000000..aeb7aa4 --- /dev/null +++ b/roles/debian/templates/nslcd.conf @@ -0,0 +1,16 @@ +# See nslcd.conf(5) for details. + +uid nslcd +gid nslcd + +uri {{ ldap_uri }} +idle_timelimit 60 + +base {{ ldap_base }} +binddn cn=nss,ou=admins,{{ ldap_base }} +bindpw {{ lookup(passbolt, 'nslcd', folder_parent_id=passbolt_folder).password }} +pagesize 500 + +filter group (&(objectClass=posixGroup)(cn={{ sysadmin_group }})) +filter passwd (&(objectClass=posixAccount)(memberOf=cn={{ sysadmin_group }},ou=dnGroups,{{ ldap_base }})) +pam_authz_search (&(objectClass=posixGroup)(cn={{ sysadmin_group }})(memberuid=$username)) diff --git a/roles/debian/templates/resolv.conf b/roles/debian/templates/resolv.conf new file mode 100644 index 0000000..52a1891 --- /dev/null +++ b/roles/debian/templates/resolv.conf @@ -0,0 +1,7 @@ +domain {{ host_domain }} +search {{ host_domain }} +{% if resolvers is defined %} +{% for resolver in resolvers %} +nameserver {{resolver}} +{% endfor %} +{% endif %} \ No newline at end of file diff --git a/roles/debian/templates/sudoers b/roles/debian/templates/sudoers new file mode 100644 index 0000000..0479f3a --- /dev/null +++ b/roles/debian/templates/sudoers @@ -0,0 +1 @@ +%{{ sysadmin_group }} ALL=(ALL) NOPASSWD: ALL